Considerations when Proxying & Filtering HTTPS traffic

To provide secure sessions between your users and websites that have sensitive information or require authentication, HTTPS encrypts web content between the website server and the user’s browser. While the traffic between the two is encrypted during an HTTPS session, the content that is delivered is just as likely to be infected with viruses or other malware as content from non-encrypted sites. As the traffic is secured and encrypted between the client and the website, the proxy/filter/firewall is unable to inspect it. To scan encrypted content, it must first be decrypted, then scanned, then re-encrypted for delivery to the requesting end user’s browser.

Doing this maintains the privacy of the encrypted content, as the process is done automatically without human eyes viewing the content. However, because the traffic has been decrypted, the original site certificate cannot be used by the browser to authenticate the connection, so the original certificate is replaced by one generated by the proxy/filter/firewall. For browsers to accept the replacement certificate, you must download and install the generated certificate authority into your users’ browsers, which can be done centrally using Active Directory Group Policy Objects for domain-joined clients.
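The certificate replacement described above can be checked from a client device by looking at who issued the certificate the device actually receives. The following is an added example, not code from the original article or from any gateway vendor; the CA common name and the host names are constructed placeholders, and the sample certificates are hand-built in the format returned by Python's ssl.SSLSocket.getpeercert().

```python
import socket
import ssl
from typing import Callable, Optional

# Assumption: the common name of the CA your gateway generated (placeholder).
INSPECTION_CA_CN = "Example Gateway Inspection CA"

def issuer_cn(cert: dict) -> Optional[str]:
    """Issuer commonName from a dict shaped like SSLSocket.getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def fetch_cert(host: str, port: int = 443) -> dict:
    """Handshake with normal verification against the device trust store."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def check_host(host: str, fetch: Callable[[str], dict] = fetch_cert) -> str:
    """Report how this device sees the site's certificate."""
    try:
        cert = fetch(host)
    except ssl.SSLCertVerificationError:
        # Issuer not trusted, e.g. a device that has not received the gateway CA.
        return "untrusted"
    if issuer_cn(cert) == INSPECTION_CA_CN:
        return "inspected"      # certificate was re-issued by the gateway
    return "passthrough"        # original site certificate reached the client

# Constructed sample certificates in getpeercert() format (not real sites).
SAMPLES = {
    "search.example": {"issuer": ((("organizationName", "Example School"),),
                                  (("commonName", INSPECTION_CA_CN),))},
    "bank.example": {"issuer": ((("countryName", "US"),),
                                (("commonName", "Example Public CA 1"),))},
}

def audit_samples() -> dict:
    """Run the classifier over the constructed samples, offline."""
    return {h: check_host(h, fetch=SAMPLES.__getitem__) for h in SAMPLES}

if __name__ == "__main__":
    for host, verdict in audit_samples().items():
        print(f"{host}: {verdict}")
```

Calling check_host() with only a host name performs a live handshake from the device it runs on, so the result reflects that device's trust store and its path through the gateway.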

Probably the largest example of a secure website used in education is the Google search engine. By default Google will redirect users to a secure version of the site. If you are not decrypting as explained above, the searches and results within the search engine are invisible to the proxy/filter/firewall and therefore cannot be filtered or inspected. Particularly with the general introduction of multiple client device types within education, we strongly recommend implementing an appropriate solution that can manage secure web traffic effectively and efficiently across all internal networks and devices. There are a number of considerations when implementing an appropriate solution, such as the ability to decrypt and scan as above, the associated performance overhead, certificate management on client devices, the impact on users, and the fact that some secure websites just will not work when decrypting and scanning (after all, you are simulating a ‘Man in the Middle Attack’!).

For a number of years now we have been working closely with Sophos and have implemented a large number of their Security Gateway products to predominantly perform the Web Filtering and Firewall roles within educational sites. The security gateways utilise high-spec hardware and can perform the decrypt and scan method, but also have other functions for managing HTTPS traffic. The added advantage, though, is the combination of the functions available and the flexibility of configuration, which allows us to implement a secure solution that satisfies the requirements of each differing site.
